Project

General

Profile

Actions

Optimization #7769

open

DetectFileHashParse: remove redundant de_ctx->rule_file != NULL check

Added by Boris Tonofa about 2 months ago. Updated 16 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Effort:
medium
Difficulty:
Label:

Description

When Suricata parses rules it invokes DetectFileHashParse() to turn a filemd5/sha1/sha256 keyword into an in-memory hash table. If the rules are supplied from memory, the parser context field de_ctx->rule_file is NULL; nevertheless the code still executes SCStrdup(de_ctx->rule_file). Because strdup(NULL) dereferences a null pointer inside strlen(), Suricata crashes with SIGSEGV during the rule-loading phase.

Actions #1

Updated by Boris Tonofa about 1 month ago

  • Subject changed from DetectFileHashParse crashes when de_ctx->rule_file is NULL (strdup → SIGSEGV) to DetectFileHashParse: remove redundant de_ctx->rule_file != NULL check

In DetectFileHashParse the static analyzer reports a warning for

rule_filename = SCStrdup(de_ctx->rule_file);

because a few lines later the code still performs

if (de_ctx->rule_file != NULL) {
    
}

de_ctx->rule_file is already guaranteed to be non-NULL at this point, so the run-time check is redundant. Remove the if (de_ctx->rule_file != NULL) block to eliminate the false positive and simplify the codebase.

Actions #2

Updated by Philippe Antoine about 1 month ago

  • Status changed from New to In Review
Actions #3

Updated by Philippe Antoine 23 days ago

  • Affected Versions deleted (6.0.13, 7.0.0, 6.0.14, 7.0.1, 6.0.15, 7.0.2, 6.0.16, 7.0.3, 6.0.17, 7.0.4, 6.0.18, 6.0.19, 7.0.5, 6.0.20, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 8.0.0-beta1, 8.0.0-rc1, 7.0.11, 7.0.12, 8.0.1, TBD, git master)
Actions #4

Updated by Philippe Antoine 16 days ago

  • Tracker changed from Bug to Optimization
  • Target version changed from TBD to 8.0.1
  • Affected Versions deleted (8.0.0)
Actions

Also available in: Atom PDF